Commitment to Security and Compliance
Gmelius SA ("Gmelius"), the provider of Backup Space, is committed to safeguarding the confidentiality, integrity, and availability of customer data. We employ industry-leading security measures to ensure compliance with applicable data protection laws and regulatory requirements. This document provides an overview of our security policies, data protection practices, and compliance framework.
About Backup Space
Backup Space is a product developed, maintained, and operated by Gmelius SA, a Swiss-registered company (CHE-411.148.873). Gmelius is dedicated to advancing collaboration, automating business operations, and ensuring business continuity. Our corporate headquarters are located in Geneva, Switzerland.
Hosting and Deployment
Backup Space is deployed as a distributed, container-based application within Google Cloud Platform (GCP) across multiple regions, including the United States, Canada, Switzerland, the European Union, the United Kingdom, and Australia. GCP facilities comply with globally recognized security and privacy standards, including:
- SOC 1 (SSAE-16), SOC 2
- PCI DSS Level 1
- ISO 27001
- HIPAA
- FIPS 140-2
Customers may select their preferred data storage location upon initiating service. All physical infrastructure is managed exclusively by Google personnel; Gmelius employees do not have physical access to data centers. To enhance security, we enforce multi-factor authentication (MFA) across internal systems and adopt a "least privilege" access model to restrict data access strictly to operational necessities.
Data Storage and Encryption
Backup Space employs robust encryption protocols to protect customer data both in transit and at rest:
- In transit: TLS 1.3 encryption safeguards all data transmissions between service components.
- At rest: AES-256 encryption ensures the highest level of data security.
Customers may also bring their own encryption key (BYOK), for example via Google Cloud Key Management Service (KMS), for additional control over data security.
Platform Security Features
Backup Space offers security features designed to protect data integrity and access control, including:
- Immutable audit logs that record all configuration changes, data access, and recovery operations.
- Identity and access management (IAM) via leading providers such as Okta (SAML) and Google, supporting MFA enforcement and IP-based access controls.
Backup and Resilience
Backup Space is built with high availability and disaster recovery capabilities using Google Kubernetes Engine (GKE). Our architecture ensures that:
- Redundant infrastructure automatically mitigates component failures.
- Data is continuously replicated to separate storage environments.
- Regular disaster recovery tests validate backup integrity and restoration processes.
Third-Party Subprocessors
Gmelius minimizes the use of subprocessors and ensures that all third-party vendors:
- Undergo regular security audits and compliance reviews.
- Comply with SOC 2 and/or ISO 27001 standards.
- Have a proven track record in data security and privacy compliance.
Customer data within our infrastructure remains encrypted at all times. Limited information is shared with third parties solely for essential operations, including payment processing through Stripe and customer relationship management via Attio and Gmelius.
A complete and up-to-date list of our subprocessors is available at: https://trust.gmelius.com
SOC 2 Type II Certification
Gmelius is SOC 2 Type II certified, demonstrating adherence to stringent security, availability, processing integrity, and confidentiality standards. Our security controls undergo continuous evaluation to ensure compliance with evolving regulatory requirements.
Penetration Testing and Secure Code Review
Gmelius engages independent security firms, including Pentest People, to conduct regular penetration testing and secure code reviews, proactively identifying and remediating vulnerabilities.
Regulatory Compliance
Gmelius ensures compliance with multiple regulatory frameworks, including:
- General Data Protection Regulation (GDPR) – We support all data subject rights under GDPR and provide a Data Processing Addendum.
- California Consumer Privacy Act (CCPA) – We do not sell customer data and fully comply with CCPA rights and obligations.
- Health Insurance Portability and Accountability Act (HIPAA) – We sign Business Associate Agreements (BAAs) for customers processing Protected Health Information (PHI).
- UK National Cyber Security Centre (NCSC) – Backup Space aligns with NCSC's 14 Cloud Security Principles.
- Canadian Regulations:
  - PIPEDA – Gmelius protects personal information in accordance with the Personal Information Protection and Electronic Documents Act.
  - PHIPA – Backup Space complies with the Personal Health Information Protection Act to ensure secure handling of PHI.
Incident Response and Remediation
We maintain 24/7/365 system monitoring with advanced performance and security detection tools. In the event of a security incident:
- Immediate alerts are triggered for investigation by our security team.
- We collaborate with hosting providers to remediate vulnerabilities.
- System logs are retained for a minimum of seven (7) days for forensic analysis.
For major security incidents, users are promptly notified via our official communication channels, including our status page, blog, and email updates.
For more information, please contact our security team at [email protected].
Backup Space c/o Gmelius SA
Route de Pré-Bois 14
1216 Cointrin, Geneva, Switzerland